Minutes of Meeting — 28 November 2019


NRS AUDIT AND RISK COMMITTEE MEETING 


28 November 2019 
Room 1/G/8, Ladywell House, Edinburgh 


Committee Member, Non-Executive Director (Chair) 
Committee Member, Non-Executive Director 
Committee Member, Non-Executive Director 

Audit Scotland, External Auditor 

Scottish Government, Internal Auditor 

NRS, Chief Executive 

NRS, Director of Corporate Services & Accountable 
Officer 

NRS, Chief Financial Officer 

NRS, Census 2021 Programme Director (Item 3) 
NRS, Census 2021 Delivery Advisor 

NRS, Business Management (secretariat) 

NRS, Business Management Unit (observer)
Scottish Government, Internal Audit (observer) 


Scottish Government, Internal Auditor 
Audit Scotland, External Auditor 


1. Welcome, Introductions and Declaration of Interests 


1.1 The Chair welcomed everyone to the meeting. The Chair welcomed Christine
Martin, recently appointed NRS Non-Executive Director, to her first meeting. It was
noted that Stephen Bourne was attending to deliver the Scotland’s Census 2021
Programme Update. Apologies and observers were noted as listed.


1.2 Christine Martin declared an interest as a member of the Audit and Risk 
Committee for Registers of Scotland. No other new Declarations of Interest were 
noted. 


2. Minutes and Actions 


2.1 The minutes of 5 September 2019 were accepted. The minutes would be
published on the NRS website, governance page.

2.2 Actions were reviewed as follows: 

• Action A06/19: Census Programme — standing report on high level risks. The
action had been completed, item on the agenda and noted for future
meetings. Action: Completed.

• Action A07/19: Induction and training opportunities for ARC. The action was
ongoing and consideration would be given to a programme of building
tours/opportunity to engage with business areas for NXDs during spring
2020, alongside exploring opportunities with SG Public Bodies Unit and
Digital Directorate. Action: ongoing.


3. Risk Deep Dive - NRS Census 2021 Risk Management - Stephen Bourne


3.1 Paul Lowe provided an overview of the changes made in the census team to
strengthen resource and expertise around programme management. Stephen Bourne
had recently taken up the role of Programme Director. Additional programme
management and digital consultancy had been put in place over recent months and a
revised Programme Management Office function was being established.


3.2 Stephen Bourne summarised the paper which provided: 
• Details of programme governance improvements and updated governance
structures being progressed.
• A revised monthly programme governance cadence.
• A summary of programme risk management recommendations.
• A report on 10 strategic risk themes identified following review of the existing
risk register for the programme.


3.3 The Committee discussed the report as follows: 

• Revised 2021 Census Programme governance - had previously been
reported at ARC. The Committee considered that visibility into the 
programme had improved. ARC Committee member, Bill Matthews was 
attending Census Programme Board (CPB) meetings and reported that 
improvements to the CPB’s function had emerged. A revised membership 
was also enabling appropriate discussion and scrutiny. Improvement action 
was planned to continue across the programme, focussing on the supporting 
governance groups, risk management and reporting as well as refining the 
business considered by the Census Programme Board over the coming 
months. A further update would be reported to the Committee at the meeting 
in March 2020. The Committee heard that Paul Lowe also reported Census 
risk into Scottish Government governance through the DG Economy Audit 
Assurance Committee. 

• Risk management process — the Committee noted ongoing work to
strengthen processes, including achieving greater clarity around risk action 
ownership. 

• Census fraud risk - The Committee discussed this risk and updates were
provided in relation to counter-fraud activities, including engagement with 
Police Scotland during Census rehearsal and cybersecurity work that was 
being taken forward, which included plans to have a 24/7 Security 
Operations Centre (SOC). 

• 2021 Census Programme strategic risk themes — The Committee welcomed
the approach to identify risk themes. It was noted that work continued to 
deepen the understanding around mitigating actions. In discussion, the 
Committee sought reassurance around the detailed understanding of risk 
and suggested highlighting activity around: 
> Risk theme R002 — Penetration testing and insider threats, 
> Risk theme R002 and R004 — Consider joining risk together as both relate
to data. 

> Risk theme R009 — External events impacting, noting that mitigation 
actions may be more challenging to identify. 

• Census response and benefits - The Committee discussed opportunities to
increase inclusion in the census as well as completeness of returns, and 
heard a revision of census benefits was in progress and would be linked into 
the communication strategy and plans for 2021. 

• The Committee suggested a deep dive on two of the strategic risk themes
would be welcomed at the next committee meeting. 


Action A8/19: Census Risk — Deep dive on two topics to be added to next and 
future forward look. Owner: Stephen Bourne/Census Programme 
Management Team 


4. Risk Deep Dive — Cyber Security — Laura Lucas 


4.1 The presentation was delivered by Laura Lucas and addressed key questions 
for Boards from the National Cyber Security Centre’s Board Toolkit. 


4.2 The following points were discussed: 

• Data classification — The Committee heard that a data classification system
to catalogue, manage and control the different data assets of NRS was in 
place. 

• Assurance support and challenge — The Committee asked how this was
managed. It was noted that the NRS approach was to access expertise from
outside the organisation as well as utilising skilled resource from SG Internal
Audit and Digital Directorate. Technical Assurance Framework (TAF) and
Gateway reviews were examples of recent assurance provided to NRS for
the 2021 Census Programme.

• Staff training for cyber security — It was confirmed that all staff who joined
NRS received security awareness training. An annual refresh was also 
being considered alongside other NRS requirements for on-line training. 

• Cyber security and information governance policies — The Committee were
advised of current approaches for the sign-off of controls, which were being 
implemented as part of the Census governance improvements. A security 
programme was being initiated as part of the Digital and Strategy Board, to 
improve the approach and controls, as well as driving collaboration and 
understanding across NRS information governance, physical and IT 
security. 


4.3 The Committee thanked Laura for a comprehensive presentation which
indicated that expected controls are largely in place and working as intended.


5. NRS Assurance Report — Linda Sinclair


5.1 The report provided an update on NRS assurance activities since the report to 
the previous ARC in September 2019. 


5.2 Paul Lowe outlined the Technical Assurance Framework (TAF) review process 
to the Committee. 


5.3 Linda updated ARC on the outcome of a recent TAF review, pre-procurement
gate for the 2021 Census in relation to mobile workforce management tools and
devices. The status was reported as green. The tender would be issued for
procurement. It was noted that Amber-Green assessments had been received for the
pre-procurement TAF gates for field force and contact centre; actions were being
worked through to achieve sign-off from the Digital Assurance Office.


5.4 Linda Sinclair provided ARC members with an update on the progress to 
develop an assurance map for NRS. 


6. NRS Finance Report 2019-2020 — End Period 7 — Steven Hanlon 


6.1 Steven Hanlon presented the report which provided the financial position at the 
end of period 7 of the 2019-2020 FY. 


6.2 The Committee heard that the reported overall figure for NRS originated from 
component parts from core NRS and the Census Programme. Overall a small 
projected underspend was noted. There were uncertainties arising from the elements 
of the Census Programme, which were understood and would continue to be 
monitored and reported to the Census Programme Board and Executive Management 
Board. 


6.3 The capital budget continued to be managed centrally for 2019-2020. Linda 
Sinclair indicated that the Digital and Strategy Board had met and was reviewing 
business cases and proposals. 


7. Internal Audit Progress Report — Lorraine Twyford 


7.1 Lorraine Twyford introduced the paper and indicated the 2019-2020 plan was 
on track. Follow-up activity on two Census 2021 reviews had concluded, as had the 
Workforce Planning action follow-up. 


7.2 Two audit reviews had been carried out during 2019-2020: firstly, Programme
and Project Management West Register House and secondly, NRS Governance. Both
had concluded the fieldwork with draft reports issued, with both reported as Substantial
Assurance.


7.3 A terms of reference (TOR) for the planned review of IT Services Procurement
Process had been drafted. Field work was expected to commence in January 2020.


7.4 Audit Scotland indicated no paper had been prepared for the meeting; however,
planning for the 2019-2020 audit was due to commence and, following engagement with
NRS Finance, would be submitted at the next ARC meeting for consideration.


8. NRS Governance Report — Linda Sinclair 


8.1 Linda Sinclair introduced the report. The Committee noted that the format and 
content of the report was helpful. 


8.2 Paul Lowe indicated additional senior manager resource had been recruited to 
lead delivery of change across NRS, with a planned start date of January 2020. 


8.3 The Committee heard that thematic risk reporting had been introduced as part 
of NRS Executive Management Board scrutiny of corporate risk. 


9. Audit & Risk Committee Forward Look — Colin Ledlie 


9.1 The report was included for information and outlined proposed ARC business
for the next twelve months. Business for the next meeting would include risk
management deep dive, follow-up to Census deep dive on risk theme and a
follow-up on a previous deep dive on NRS Estates.


10. Date of next meeting — 5 March 2020 
END 


